Merge commit '1994bff130afa04e70db6cc4b45bf324ad3eb8db'

4 files changed, 234 insertions, 0 deletions

diff --git a/metadata/glsa/glsa-201705-11.xml b/metadata/glsa/glsa-201705-11.xml
new file mode 100644
index 000000000000..1984fe580df3
--- /dev/null
+++ b/metadata/glsa/glsa-201705-11.xml
@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201705-11">
+  <title>Xen: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Xen, the worst of which
+    could allow for privilege escalation.
+  </synopsis>
+  <product type="ebuild">xen</product>
+  <announced>2017-05-26</announced>
+  <revised>2017-05-26: 1</revised>
+  <bug>615980</bug>
+  <access>local</access>
+  <affected>
+    <package name="app-emulation/xen" auto="yes" arch="*">
+      <unaffected range="ge">4.7.2-r1</unaffected>
+      <vulnerable range="lt">4.7.2-r1</vulnerable>
+    </package>
+    <package name="app-emulation/xen-tools" auto="yes" arch="*">
+      <unaffected range="ge">4.7.2</unaffected>
+      <vulnerable range="lt">4.7.2</vulnerable>
+    </package>
+    <package name="app-emulation/xen-pvgrub" auto="yes" arch="*">
+      <unaffected range="ge">4.7.2</unaffected>
+      <vulnerable range="lt">4.7.2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Xen is a bare-metal hypervisor.</p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Xen. Please review the
+      CVE identifiers and Xen Security Advisory referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A local attacker could potentially execute arbitrary code with
+      privileges of Xen (QEMU) process on the host, gain privileges on the host
+      system, or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Xen users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-4.7.2-r1:0"
+    </code>
+    
+    <p>All Xen Tools users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=app-emulation/xen-tools-4.7.2:0"
+    </code>
+    
+    <p>All Xen pvgrub users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=app-emulation/xen-pvgrub-4.7.2:0"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8903">CVE-2017-8903</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8904">CVE-2017-8904</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8905">CVE-2017-8905</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-05-11T07:53:09Z">BlueKnight</metadata>
+  <metadata tag="submitter" timestamp="2017-05-26T06:07:35Z">BlueKnight</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201705-12.xml b/metadata/glsa/glsa-201705-12.xml
new file mode 100644
index 000000000000..a9b7a5846fc8
--- /dev/null
+++ b/metadata/glsa/glsa-201705-12.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201705-12">
+  <title>Adobe Flash Player: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Adobe Flash Player, the
+    worst of which allows remote attackers to execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">adobe-flash</product>
+  <announced>2017-05-26</announced>
+  <revised>2017-05-26: 1</revised>
+  <bug>617968</bug>
+  <access>remote</access>
+  <affected>
+    <package name="www-plugins/adobe-flash" auto="yes" arch="*">
+      <unaffected range="ge">25.0.0.171</unaffected>
+      <vulnerable range="lt">25.0.0.171</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The Adobe Flash Player is a renderer for the SWF file format, which is
+      commonly used to provide interactive websites.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Adobe Flash Player.
+      Please review the CVE identifiers referenced below for details.
+    </p>
+    
+  </description>
+  <impact type="normal">
+    <p>A remote attacker could possibly execute arbitrary code with the
+      privileges of the process or bypass security restrictions.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Adobe Flash Player users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose
+      "&gt;=www-plugins/adobe-flash-25.0.0.171 :22"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3068">CVE-2017-3068</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3069">CVE-2017-3069</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3070">CVE-2017-3070</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3071">CVE-2017-3071</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3072">CVE-2017-3072</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3073">CVE-2017-3073</uri>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3074">CVE-2017-3074</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-05-11T07:37:48Z">BlueKnight</metadata>
+  <metadata tag="submitter" timestamp="2017-05-26T06:07:53Z">BlueKnight</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201705-13.xml b/metadata/glsa/glsa-201705-13.xml
new file mode 100644
index 000000000000..e8b3d1521ea3
--- /dev/null
+++ b/metadata/glsa/glsa-201705-13.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201705-13">
+  <title>Teeworlds: Remote execution of arbitrary code on client</title>
+  <synopsis>Teeworlds client vulnerability in snap handling could result in
+    execution of arbitrary code.
+  </synopsis>
+  <product type="ebuild">teeworlds</product>
+  <announced>2017-05-26</announced>
+  <revised>2017-05-26: 1</revised>
+  <bug>600178</bug>
+  <access>remote</access>
+  <affected>
+    <package name="games-action/teeworlds" auto="yes" arch="*">
+      <unaffected range="ge">0.6.4</unaffected>
+      <vulnerable range="lt">0.6.4</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Teeworlds is an online multi-player platform 2D shooter</p>
+  </background>
+  <description>
+    <p>Treeworlds client contains a vulnerability allowing a malicious server
+      to execute arbitrary code, or write to arbitrary physical memory via the
+      CClient::ProcessServerPacket method.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote malicious server can write to arbitrary physical memory
+      locations and possibly execute arbitrary if a vulnerable client joins the
+      server.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Teeworlds users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=games-action/teeworlds-0.6.4:0"
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9400">CVE-2016-9400</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-05-09T06:08:59Z">BlueKnight</metadata>
+  <metadata tag="submitter" timestamp="2017-05-26T06:08:11Z">BlueKnight</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201705-14.xml b/metadata/glsa/glsa-201705-14.xml
new file mode 100644
index 000000000000..7b8f5f2c502b
--- /dev/null
+++ b/metadata/glsa/glsa-201705-14.xml
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201705-14">
+  <title>Smb4K: Arbitrary command execution as root</title>
+  <synopsis>A vulnerability in Smb4K could allow local attackers to execute
+    commands as root.
+  </synopsis>
+  <product type="ebuild">smb4k</product>
+  <announced>2017-05-26</announced>
+  <revised>2017-05-26: 1</revised>
+  <bug>618106</bug>
+  <access>local</access>
+  <affected>
+    <package name="net-misc/smb4k" auto="yes" arch="*">
+      <unaffected range="ge">1.2.3-r1 </unaffected>
+      <vulnerable range="lt">1.2.3-r1 </vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Smb4K is a SMB/CIFS (Windows) share browser for KDE.</p>
+  </background>
+  <description>
+    <p>Smb4k contains a logic flaw in which mount helper binary does not
+      properly verify the mount command it is being asked to run.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A local user can execute commands with the root privilege due to the
+      mount helper being installed as suid.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Smb4K users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/smb4k-1.2.3-r1:4 "
+    </code>
+    
+  </resolution>
+  <references>
+    <uri link="http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8849">CVE-2017-8849</uri>
+  </references>
+  <metadata tag="requester" timestamp="2017-05-12T04:22:20Z">BlueKnight</metadata>
+  <metadata tag="submitter" timestamp="2017-05-26T06:08:26Z">BlueKnight</metadata>
+</glsa>